1 /* 2 * TLSv1 client - read handshake message 3 * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/md5.h" 13 #include "crypto/sha1.h" 14 #include "crypto/sha256.h" 15 #include "crypto/tls.h" 16 #include "x509v3.h" 17 #include "tlsv1_common.h" 18 #include "tlsv1_record.h" 19 #include "tlsv1_client.h" 20 #include "tlsv1_client_i.h" 21 22 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 23 const u8 *in_data, size_t *in_len); 24 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 25 const u8 *in_data, size_t *in_len); 26 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 27 const u8 *in_data, size_t *in_len); 28 29 30 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct, 31 const u8 *in_data, size_t *in_len) 32 { 33 const u8 *pos, *end; 34 size_t left, len, i; 35 u16 cipher_suite; 36 u16 tls_version; 37 38 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 39 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 40 "received content type 0x%x", ct); 41 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 42 TLS_ALERT_UNEXPECTED_MESSAGE); 43 return -1; 44 } 45 46 pos = in_data; 47 left = *in_len; 48 49 if (left < 4) 50 goto decode_error; 51 52 /* HandshakeType msg_type */ 53 if (*pos != TLS_HANDSHAKE_TYPE_SERVER_HELLO) { 54 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 55 "message %d (expected ServerHello)", *pos); 56 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 57 TLS_ALERT_UNEXPECTED_MESSAGE); 58 return -1; 59 } 60 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHello"); 61 pos++; 62 /* uint24 length */ 63 len = WPA_GET_BE24(pos); 64 pos += 3; 65 left -= 4; 66 67 if (len > left) 68 goto decode_error; 69 70 /* body - ServerHello */ 71 72 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerHello", pos, len); 73 end = pos + len; 74 75 /* ProtocolVersion server_version */ 76 if (end - pos < 2) 77 goto decode_error; 78 tls_version = WPA_GET_BE16(pos); 79 if (!tls_version_ok(tls_version)) { 80 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in " 81 "ServerHello %u.%u", pos[0], pos[1]); 82 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 83 TLS_ALERT_PROTOCOL_VERSION); 84 return -1; 85 } 86 pos += 2; 87 88 wpa_printf(MSG_DEBUG, "TLSv1: Using TLS v%s", 89 tls_version_str(tls_version)); 90 conn->rl.tls_version = tls_version; 91 92 /* Random random */ 93 if (end - pos < TLS_RANDOM_LEN) 94 goto decode_error; 95 96 os_memcpy(conn->server_random, pos, TLS_RANDOM_LEN); 97 pos += TLS_RANDOM_LEN; 98 wpa_hexdump(MSG_MSGDUMP, "TLSv1: server_random", 99 conn->server_random, TLS_RANDOM_LEN); 100 101 /* SessionID session_id */ 102 if (end - pos < 1) 103 goto decode_error; 104 if (end - pos < 1 + *pos || *pos > TLS_SESSION_ID_MAX_LEN) 105 goto decode_error; 106 if (conn->session_id_len && conn->session_id_len == *pos && 107 os_memcmp(conn->session_id, pos + 1, conn->session_id_len) == 0) { 108 pos += 1 + conn->session_id_len; 109 wpa_printf(MSG_DEBUG, "TLSv1: Resuming old session"); 110 conn->session_resumed = 1; 111 } else { 112 conn->session_id_len = *pos; 113 pos++; 114 os_memcpy(conn->session_id, pos, conn->session_id_len); 115 pos += conn->session_id_len; 116 } 117 wpa_hexdump(MSG_MSGDUMP, "TLSv1: session_id", 118 conn->session_id, conn->session_id_len); 119 120 /* CipherSuite cipher_suite */ 121 if (end - pos < 2) 122 goto decode_error; 123 cipher_suite = WPA_GET_BE16(pos); 124 pos += 2; 125 for (i = 0; i < conn->num_cipher_suites; i++) { 126 if (cipher_suite == conn->cipher_suites[i]) 127 break; 128 } 129 if (i == conn->num_cipher_suites) { 130 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 131 "cipher suite 0x%04x", cipher_suite); 132 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 133 TLS_ALERT_ILLEGAL_PARAMETER); 134 return -1; 135 } 136 137 if (conn->session_resumed && cipher_suite != conn->prev_cipher_suite) { 138 wpa_printf(MSG_DEBUG, "TLSv1: Server selected a different " 139 "cipher suite for a resumed connection (0x%04x != " 140 "0x%04x)", cipher_suite, conn->prev_cipher_suite); 141 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 142 TLS_ALERT_ILLEGAL_PARAMETER); 143 return -1; 144 } 145 146 if (tlsv1_record_set_cipher_suite(&conn->rl, cipher_suite) < 0) { 147 wpa_printf(MSG_DEBUG, "TLSv1: Failed to set CipherSuite for " 148 "record layer"); 149 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 150 TLS_ALERT_INTERNAL_ERROR); 151 return -1; 152 } 153 154 conn->prev_cipher_suite = cipher_suite; 155 156 /* CompressionMethod compression_method */ 157 if (end - pos < 1) 158 goto decode_error; 159 if (*pos != TLS_COMPRESSION_NULL) { 160 wpa_printf(MSG_INFO, "TLSv1: Server selected unexpected " 161 "compression 0x%02x", *pos); 162 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 163 TLS_ALERT_ILLEGAL_PARAMETER); 164 return -1; 165 } 166 pos++; 167 168 if (end != pos) { 169 /* TODO: ServerHello extensions */ 170 wpa_hexdump(MSG_DEBUG, "TLSv1: Unexpected extra data in the " 171 "end of ServerHello", pos, end - pos); 172 goto decode_error; 173 } 174 175 if (conn->session_ticket_included && conn->session_ticket_cb) { 176 /* TODO: include SessionTicket extension if one was included in 177 * ServerHello */ 178 int res = conn->session_ticket_cb( 179 conn->session_ticket_cb_ctx, NULL, 0, 180 conn->client_random, conn->server_random, 181 conn->master_secret); 182 if (res < 0) { 183 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket callback " 184 "indicated failure"); 185 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 186 TLS_ALERT_HANDSHAKE_FAILURE); 187 return -1; 188 } 189 conn->use_session_ticket = !!res; 190 } 191 192 if ((conn->session_resumed || conn->use_session_ticket) && 193 tls_derive_keys(conn, NULL, 0)) { 194 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive keys"); 195 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 196 TLS_ALERT_INTERNAL_ERROR); 197 return -1; 198 } 199 200 *in_len = end - in_data; 201 202 conn->state = (conn->session_resumed || conn->use_session_ticket) ? 203 SERVER_CHANGE_CIPHER_SPEC : SERVER_CERTIFICATE; 204 205 return 0; 206 207 decode_error: 208 wpa_printf(MSG_DEBUG, "TLSv1: Failed to decode ServerHello"); 209 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 210 return -1; 211 } 212 213 214 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct, 215 const u8 *in_data, size_t *in_len) 216 { 217 const u8 *pos, *end; 218 size_t left, len, list_len, cert_len, idx; 219 u8 type; 220 struct x509_certificate *chain = NULL, *last = NULL, *cert; 221 int reason; 222 223 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 224 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 225 "received content type 0x%x", ct); 226 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 227 TLS_ALERT_UNEXPECTED_MESSAGE); 228 return -1; 229 } 230 231 pos = in_data; 232 left = *in_len; 233 234 if (left < 4) { 235 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate message " 236 "(len=%lu)", (unsigned long) left); 237 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 238 return -1; 239 } 240 241 type = *pos++; 242 len = WPA_GET_BE24(pos); 243 pos += 3; 244 left -= 4; 245 246 if (len > left) { 247 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected Certificate message " 248 "length (len=%lu != left=%lu)", 249 (unsigned long) len, (unsigned long) left); 250 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 251 return -1; 252 } 253 254 if (type == TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) 255 return tls_process_server_key_exchange(conn, ct, in_data, 256 in_len); 257 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 258 return tls_process_certificate_request(conn, ct, in_data, 259 in_len); 260 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 261 return tls_process_server_hello_done(conn, ct, in_data, 262 in_len); 263 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE) { 264 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 265 "message %d (expected Certificate/" 266 "ServerKeyExchange/CertificateRequest/" 267 "ServerHelloDone)", type); 268 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 269 TLS_ALERT_UNEXPECTED_MESSAGE); 270 return -1; 271 } 272 273 wpa_printf(MSG_DEBUG, 274 "TLSv1: Received Certificate (certificate_list len %lu)", 275 (unsigned long) len); 276 277 /* 278 * opaque ASN.1Cert<2^24-1>; 279 * 280 * struct { 281 * ASN.1Cert certificate_list<1..2^24-1>; 282 * } Certificate; 283 */ 284 285 end = pos + len; 286 287 if (end - pos < 3) { 288 wpa_printf(MSG_DEBUG, "TLSv1: Too short Certificate " 289 "(left=%lu)", (unsigned long) left); 290 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 291 return -1; 292 } 293 294 list_len = WPA_GET_BE24(pos); 295 pos += 3; 296 297 if ((size_t) (end - pos) != list_len) { 298 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate_list " 299 "length (len=%lu left=%lu)", 300 (unsigned long) list_len, 301 (unsigned long) (end - pos)); 302 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 303 return -1; 304 } 305 306 idx = 0; 307 while (pos < end) { 308 if (end - pos < 3) { 309 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 310 "certificate_list"); 311 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 312 TLS_ALERT_DECODE_ERROR); 313 x509_certificate_chain_free(chain); 314 return -1; 315 } 316 317 cert_len = WPA_GET_BE24(pos); 318 pos += 3; 319 320 if ((size_t) (end - pos) < cert_len) { 321 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected certificate " 322 "length (len=%lu left=%lu)", 323 (unsigned long) cert_len, 324 (unsigned long) (end - pos)); 325 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 326 TLS_ALERT_DECODE_ERROR); 327 x509_certificate_chain_free(chain); 328 return -1; 329 } 330 331 wpa_printf(MSG_DEBUG, "TLSv1: Certificate %lu (len %lu)", 332 (unsigned long) idx, (unsigned long) cert_len); 333 334 if (idx == 0) { 335 crypto_public_key_free(conn->server_rsa_key); 336 if (tls_parse_cert(pos, cert_len, 337 &conn->server_rsa_key)) { 338 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 339 "the certificate"); 340 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 341 TLS_ALERT_BAD_CERTIFICATE); 342 x509_certificate_chain_free(chain); 343 return -1; 344 } 345 } 346 347 cert = x509_certificate_parse(pos, cert_len); 348 if (cert == NULL) { 349 wpa_printf(MSG_DEBUG, "TLSv1: Failed to parse " 350 "the certificate"); 351 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 352 TLS_ALERT_BAD_CERTIFICATE); 353 x509_certificate_chain_free(chain); 354 return -1; 355 } 356 357 if (last == NULL) 358 chain = cert; 359 else 360 last->next = cert; 361 last = cert; 362 363 idx++; 364 pos += cert_len; 365 } 366 367 if (conn->cred && 368 x509_certificate_chain_validate(conn->cred->trusted_certs, chain, 369 &reason, conn->disable_time_checks) 370 < 0) { 371 int tls_reason; 372 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " 373 "validation failed (reason=%d)", reason); 374 switch (reason) { 375 case X509_VALIDATE_BAD_CERTIFICATE: 376 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 377 break; 378 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE: 379 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE; 380 break; 381 case X509_VALIDATE_CERTIFICATE_REVOKED: 382 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED; 383 break; 384 case X509_VALIDATE_CERTIFICATE_EXPIRED: 385 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED; 386 break; 387 case X509_VALIDATE_CERTIFICATE_UNKNOWN: 388 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN; 389 break; 390 case X509_VALIDATE_UNKNOWN_CA: 391 tls_reason = TLS_ALERT_UNKNOWN_CA; 392 break; 393 default: 394 tls_reason = TLS_ALERT_BAD_CERTIFICATE; 395 break; 396 } 397 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, tls_reason); 398 x509_certificate_chain_free(chain); 399 return -1; 400 } 401 402 x509_certificate_chain_free(chain); 403 404 *in_len = end - in_data; 405 406 conn->state = SERVER_KEY_EXCHANGE; 407 408 return 0; 409 } 410 411 412 static unsigned int count_bits(const u8 *val, size_t len) 413 { 414 size_t i; 415 unsigned int bits; 416 u8 tmp; 417 418 for (i = 0; i < len; i++) { 419 if (val[i]) 420 break; 421 } 422 if (i == len) 423 return 0; 424 425 bits = (len - i - 1) * 8; 426 tmp = val[i]; 427 while (tmp) { 428 bits++; 429 tmp >>= 1; 430 } 431 432 return bits; 433 } 434 435 436 static int tlsv1_process_diffie_hellman(struct tlsv1_client *conn, 437 const u8 *buf, size_t len, 438 tls_key_exchange key_exchange) 439 { 440 const u8 *pos, *end, *server_params, *server_params_end; 441 u8 alert; 442 unsigned int bits; 443 u16 val; 444 445 tlsv1_client_free_dh(conn); 446 447 pos = buf; 448 end = buf + len; 449 450 if (end - pos < 3) 451 goto fail; 452 server_params = pos; 453 val = WPA_GET_BE16(pos); 454 pos += 2; 455 if (val == 0 || val > (size_t) (end - pos)) { 456 wpa_printf(MSG_DEBUG, "TLSv1: Invalid dh_p length %u", val); 457 goto fail; 458 } 459 conn->dh_p_len = val; 460 bits = count_bits(pos, conn->dh_p_len); 461 if (bits < 768) { 462 wpa_printf(MSG_INFO, "TLSv1: Reject under 768-bit DH prime (insecure; only %u bits)", 463 bits); 464 wpa_hexdump(MSG_DEBUG, "TLSv1: Rejected DH prime", 465 pos, conn->dh_p_len); 466 goto fail; 467 } 468 conn->dh_p = os_malloc(conn->dh_p_len); 469 if (conn->dh_p == NULL) 470 goto fail; 471 os_memcpy(conn->dh_p, pos, conn->dh_p_len); 472 pos += conn->dh_p_len; 473 wpa_hexdump(MSG_DEBUG, "TLSv1: DH p (prime)", 474 conn->dh_p, conn->dh_p_len); 475 476 if (end - pos < 3) 477 goto fail; 478 val = WPA_GET_BE16(pos); 479 pos += 2; 480 if (val == 0 || val > (size_t) (end - pos)) 481 goto fail; 482 conn->dh_g_len = val; 483 conn->dh_g = os_malloc(conn->dh_g_len); 484 if (conn->dh_g == NULL) 485 goto fail; 486 os_memcpy(conn->dh_g, pos, conn->dh_g_len); 487 pos += conn->dh_g_len; 488 wpa_hexdump(MSG_DEBUG, "TLSv1: DH g (generator)", 489 conn->dh_g, conn->dh_g_len); 490 if (conn->dh_g_len == 1 && conn->dh_g[0] < 2) 491 goto fail; 492 493 if (end - pos < 3) 494 goto fail; 495 val = WPA_GET_BE16(pos); 496 pos += 2; 497 if (val == 0 || val > (size_t) (end - pos)) 498 goto fail; 499 conn->dh_ys_len = val; 500 conn->dh_ys = os_malloc(conn->dh_ys_len); 501 if (conn->dh_ys == NULL) 502 goto fail; 503 os_memcpy(conn->dh_ys, pos, conn->dh_ys_len); 504 pos += conn->dh_ys_len; 505 wpa_hexdump(MSG_DEBUG, "TLSv1: DH Ys (server's public value)", 506 conn->dh_ys, conn->dh_ys_len); 507 server_params_end = pos; 508 509 if (key_exchange == TLS_KEY_X_DHE_RSA) { 510 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 511 int hlen; 512 513 if (conn->rl.tls_version == TLS_VERSION_1_2) { 514 #ifdef CONFIG_TLSV12 515 /* 516 * RFC 5246, 4.7: 517 * TLS v1.2 adds explicit indication of the used 518 * signature and hash algorithms. 519 * 520 * struct { 521 * HashAlgorithm hash; 522 * SignatureAlgorithm signature; 523 * } SignatureAndHashAlgorithm; 524 */ 525 if (end - pos < 2) 526 goto fail; 527 if (pos[0] != TLS_HASH_ALG_SHA256 || 528 pos[1] != TLS_SIGN_ALG_RSA) { 529 wpa_printf(MSG_DEBUG, "TLSv1.2: Unsupported hash(%u)/signature(%u) algorithm", 530 pos[0], pos[1]); 531 goto fail; 532 } 533 pos += 2; 534 535 hlen = tlsv12_key_x_server_params_hash( 536 conn->rl.tls_version, conn->client_random, 537 conn->server_random, server_params, 538 server_params_end - server_params, hash); 539 #else /* CONFIG_TLSV12 */ 540 goto fail; 541 #endif /* CONFIG_TLSV12 */ 542 } else { 543 hlen = tls_key_x_server_params_hash( 544 conn->rl.tls_version, conn->client_random, 545 conn->server_random, server_params, 546 server_params_end - server_params, hash); 547 } 548 549 if (hlen < 0) 550 goto fail; 551 wpa_hexdump(MSG_MSGDUMP, "TLSv1: ServerKeyExchange hash", 552 hash, hlen); 553 554 if (tls_verify_signature(conn->rl.tls_version, 555 conn->server_rsa_key, 556 hash, hlen, pos, end - pos, 557 &alert) < 0) 558 goto fail; 559 } 560 561 return 0; 562 563 fail: 564 wpa_printf(MSG_DEBUG, "TLSv1: Processing DH params failed"); 565 tlsv1_client_free_dh(conn); 566 return -1; 567 } 568 569 570 static int tls_process_server_key_exchange(struct tlsv1_client *conn, u8 ct, 571 const u8 *in_data, size_t *in_len) 572 { 573 const u8 *pos, *end; 574 size_t left, len; 575 u8 type; 576 const struct tls_cipher_suite *suite; 577 578 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 579 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 580 "received content type 0x%x", ct); 581 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 582 TLS_ALERT_UNEXPECTED_MESSAGE); 583 return -1; 584 } 585 586 pos = in_data; 587 left = *in_len; 588 589 if (left < 4) { 590 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerKeyExchange " 591 "(Left=%lu)", (unsigned long) left); 592 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 593 return -1; 594 } 595 596 type = *pos++; 597 len = WPA_GET_BE24(pos); 598 pos += 3; 599 left -= 4; 600 601 if (len > left) { 602 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerKeyExchange " 603 "length (len=%lu != left=%lu)", 604 (unsigned long) len, (unsigned long) left); 605 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 606 return -1; 607 } 608 609 end = pos + len; 610 611 if (type == TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) 612 return tls_process_certificate_request(conn, ct, in_data, 613 in_len); 614 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 615 return tls_process_server_hello_done(conn, ct, in_data, 616 in_len); 617 if (type != TLS_HANDSHAKE_TYPE_SERVER_KEY_EXCHANGE) { 618 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 619 "message %d (expected ServerKeyExchange/" 620 "CertificateRequest/ServerHelloDone)", type); 621 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 622 TLS_ALERT_UNEXPECTED_MESSAGE); 623 return -1; 624 } 625 626 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerKeyExchange"); 627 628 if (!tls_server_key_exchange_allowed(conn->rl.cipher_suite)) { 629 wpa_printf(MSG_DEBUG, "TLSv1: ServerKeyExchange not allowed " 630 "with the selected cipher suite"); 631 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 632 TLS_ALERT_UNEXPECTED_MESSAGE); 633 return -1; 634 } 635 636 wpa_hexdump(MSG_DEBUG, "TLSv1: ServerKeyExchange", pos, len); 637 suite = tls_get_cipher_suite(conn->rl.cipher_suite); 638 if (suite && (suite->key_exchange == TLS_KEY_X_DH_anon || 639 suite->key_exchange == TLS_KEY_X_DHE_RSA)) { 640 if (tlsv1_process_diffie_hellman(conn, pos, len, 641 suite->key_exchange) < 0) { 642 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 643 TLS_ALERT_DECODE_ERROR); 644 return -1; 645 } 646 } else { 647 wpa_printf(MSG_DEBUG, "TLSv1: UnexpectedServerKeyExchange"); 648 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 649 TLS_ALERT_UNEXPECTED_MESSAGE); 650 return -1; 651 } 652 653 *in_len = end - in_data; 654 655 conn->state = SERVER_CERTIFICATE_REQUEST; 656 657 return 0; 658 } 659 660 661 static int tls_process_certificate_request(struct tlsv1_client *conn, u8 ct, 662 const u8 *in_data, size_t *in_len) 663 { 664 const u8 *pos, *end; 665 size_t left, len; 666 u8 type; 667 668 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 669 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 670 "received content type 0x%x", ct); 671 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 672 TLS_ALERT_UNEXPECTED_MESSAGE); 673 return -1; 674 } 675 676 pos = in_data; 677 left = *in_len; 678 679 if (left < 4) { 680 wpa_printf(MSG_DEBUG, "TLSv1: Too short CertificateRequest " 681 "(left=%lu)", (unsigned long) left); 682 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 683 return -1; 684 } 685 686 type = *pos++; 687 len = WPA_GET_BE24(pos); 688 pos += 3; 689 left -= 4; 690 691 if (len > left) { 692 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in CertificateRequest " 693 "length (len=%lu != left=%lu)", 694 (unsigned long) len, (unsigned long) left); 695 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 696 return -1; 697 } 698 699 end = pos + len; 700 701 if (type == TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) 702 return tls_process_server_hello_done(conn, ct, in_data, 703 in_len); 704 if (type != TLS_HANDSHAKE_TYPE_CERTIFICATE_REQUEST) { 705 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 706 "message %d (expected CertificateRequest/" 707 "ServerHelloDone)", type); 708 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 709 TLS_ALERT_UNEXPECTED_MESSAGE); 710 return -1; 711 } 712 713 wpa_printf(MSG_DEBUG, "TLSv1: Received CertificateRequest"); 714 715 conn->certificate_requested = 1; 716 717 *in_len = end - in_data; 718 719 conn->state = SERVER_HELLO_DONE; 720 721 return 0; 722 } 723 724 725 static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct, 726 const u8 *in_data, size_t *in_len) 727 { 728 const u8 *pos, *end; 729 size_t left, len; 730 u8 type; 731 732 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 733 wpa_printf(MSG_DEBUG, "TLSv1: Expected Handshake; " 734 "received content type 0x%x", ct); 735 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 736 TLS_ALERT_UNEXPECTED_MESSAGE); 737 return -1; 738 } 739 740 pos = in_data; 741 left = *in_len; 742 743 if (left < 4) { 744 wpa_printf(MSG_DEBUG, "TLSv1: Too short ServerHelloDone " 745 "(left=%lu)", (unsigned long) left); 746 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 747 return -1; 748 } 749 750 type = *pos++; 751 len = WPA_GET_BE24(pos); 752 pos += 3; 753 left -= 4; 754 755 if (len > left) { 756 wpa_printf(MSG_DEBUG, "TLSv1: Mismatch in ServerHelloDone " 757 "length (len=%lu != left=%lu)", 758 (unsigned long) len, (unsigned long) left); 759 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 760 return -1; 761 } 762 end = pos + len; 763 764 if (type != TLS_HANDSHAKE_TYPE_SERVER_HELLO_DONE) { 765 wpa_printf(MSG_DEBUG, "TLSv1: Received unexpected handshake " 766 "message %d (expected ServerHelloDone)", type); 767 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 768 TLS_ALERT_UNEXPECTED_MESSAGE); 769 return -1; 770 } 771 772 wpa_printf(MSG_DEBUG, "TLSv1: Received ServerHelloDone"); 773 774 *in_len = end - in_data; 775 776 conn->state = CLIENT_KEY_EXCHANGE; 777 778 return 0; 779 } 780 781 782 static int tls_process_server_change_cipher_spec(struct tlsv1_client *conn, 783 u8 ct, const u8 *in_data, 784 size_t *in_len) 785 { 786 const u8 *pos; 787 size_t left; 788 789 if (ct != TLS_CONTENT_TYPE_CHANGE_CIPHER_SPEC) { 790 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 791 "received content type 0x%x", ct); 792 if (conn->use_session_ticket) { 793 int res; 794 wpa_printf(MSG_DEBUG, "TLSv1: Server may have " 795 "rejected SessionTicket"); 796 conn->use_session_ticket = 0; 797 798 /* Notify upper layers that SessionTicket failed */ 799 res = conn->session_ticket_cb( 800 conn->session_ticket_cb_ctx, NULL, 0, NULL, 801 NULL, NULL); 802 if (res < 0) { 803 wpa_printf(MSG_DEBUG, "TLSv1: SessionTicket " 804 "callback indicated failure"); 805 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 806 TLS_ALERT_HANDSHAKE_FAILURE); 807 return -1; 808 } 809 810 conn->state = SERVER_CERTIFICATE; 811 return tls_process_certificate(conn, ct, in_data, 812 in_len); 813 } 814 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 815 TLS_ALERT_UNEXPECTED_MESSAGE); 816 return -1; 817 } 818 819 pos = in_data; 820 left = *in_len; 821 822 if (left < 1) { 823 wpa_printf(MSG_DEBUG, "TLSv1: Too short ChangeCipherSpec"); 824 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR); 825 return -1; 826 } 827 828 if (*pos != TLS_CHANGE_CIPHER_SPEC) { 829 wpa_printf(MSG_DEBUG, "TLSv1: Expected ChangeCipherSpec; " 830 "received data 0x%x", *pos); 831 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 832 TLS_ALERT_UNEXPECTED_MESSAGE); 833 return -1; 834 } 835 836 wpa_printf(MSG_DEBUG, "TLSv1: Received ChangeCipherSpec"); 837 if (tlsv1_record_change_read_cipher(&conn->rl) < 0) { 838 wpa_printf(MSG_DEBUG, "TLSv1: Failed to change read cipher " 839 "for record layer"); 840 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 841 TLS_ALERT_INTERNAL_ERROR); 842 return -1; 843 } 844 845 *in_len = pos + 1 - in_data; 846 847 conn->state = SERVER_FINISHED; 848 849 return 0; 850 } 851 852 853 static int tls_process_server_finished(struct tlsv1_client *conn, u8 ct, 854 const u8 *in_data, size_t *in_len) 855 { 856 const u8 *pos, *end; 857 size_t left, len, hlen; 858 u8 verify_data[TLS_VERIFY_DATA_LEN]; 859 u8 hash[MD5_MAC_LEN + SHA1_MAC_LEN]; 860 861 if (ct != TLS_CONTENT_TYPE_HANDSHAKE) { 862 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; " 863 "received content type 0x%x", ct); 864 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 865 TLS_ALERT_UNEXPECTED_MESSAGE); 866 return -1; 867 } 868 869 pos = in_data; 870 left = *in_len; 871 872 if (left < 4) { 873 wpa_printf(MSG_DEBUG, "TLSv1: Too short record (left=%lu) for " 874 "Finished", 875 (unsigned long) left); 876 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 877 TLS_ALERT_DECODE_ERROR); 878 return -1; 879 } 880 881 if (pos[0] != TLS_HANDSHAKE_TYPE_FINISHED) { 882 wpa_printf(MSG_DEBUG, "TLSv1: Expected Finished; received " 883 "type 0x%x", pos[0]); 884 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 885 TLS_ALERT_UNEXPECTED_MESSAGE); 886 return -1; 887 } 888 889 len = WPA_GET_BE24(pos + 1); 890 891 pos += 4; 892 left -= 4; 893 894 if (len > left) { 895 wpa_printf(MSG_DEBUG, "TLSv1: Too short buffer for Finished " 896 "(len=%lu > left=%lu)", 897 (unsigned long) len, (unsigned long) left); 898 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 899 TLS_ALERT_DECODE_ERROR); 900 return -1; 901 } 902 end = pos + len; 903 if (len != TLS_VERIFY_DATA_LEN) { 904 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected verify_data length " 905 "in Finished: %lu (expected %d)", 906 (unsigned long) len, TLS_VERIFY_DATA_LEN); 907 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 908 TLS_ALERT_DECODE_ERROR); 909 return -1; 910 } 911 wpa_hexdump(MSG_MSGDUMP, "TLSv1: verify_data in Finished", 912 pos, TLS_VERIFY_DATA_LEN); 913 914 #ifdef CONFIG_TLSV12 915 if (conn->rl.tls_version >= TLS_VERSION_1_2) { 916 hlen = SHA256_MAC_LEN; 917 if (conn->verify.sha256_server == NULL || 918 crypto_hash_finish(conn->verify.sha256_server, hash, &hlen) 919 < 0) { 920 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 921 TLS_ALERT_INTERNAL_ERROR); 922 conn->verify.sha256_server = NULL; 923 return -1; 924 } 925 conn->verify.sha256_server = NULL; 926 } else { 927 #endif /* CONFIG_TLSV12 */ 928 929 hlen = MD5_MAC_LEN; 930 if (conn->verify.md5_server == NULL || 931 crypto_hash_finish(conn->verify.md5_server, hash, &hlen) < 0) { 932 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 933 TLS_ALERT_INTERNAL_ERROR); 934 conn->verify.md5_server = NULL; 935 crypto_hash_finish(conn->verify.sha1_server, NULL, NULL); 936 conn->verify.sha1_server = NULL; 937 return -1; 938 } 939 conn->verify.md5_server = NULL; 940 hlen = SHA1_MAC_LEN; 941 if (conn->verify.sha1_server == NULL || 942 crypto_hash_finish(conn->verify.sha1_server, hash + MD5_MAC_LEN, 943 &hlen) < 0) { 944 conn->verify.sha1_server = NULL; 945 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 946 TLS_ALERT_INTERNAL_ERROR); 947 return -1; 948 } 949 conn->verify.sha1_server = NULL; 950 hlen = MD5_MAC_LEN + SHA1_MAC_LEN; 951 952 #ifdef CONFIG_TLSV12 953 } 954 #endif /* CONFIG_TLSV12 */ 955 956 if (tls_prf(conn->rl.tls_version, 957 conn->master_secret, TLS_MASTER_SECRET_LEN, 958 "server finished", hash, hlen, 959 verify_data, TLS_VERIFY_DATA_LEN)) { 960 wpa_printf(MSG_DEBUG, "TLSv1: Failed to derive verify_data"); 961 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 962 TLS_ALERT_DECRYPT_ERROR); 963 return -1; 964 } 965 wpa_hexdump_key(MSG_DEBUG, "TLSv1: verify_data (server)", 966 verify_data, TLS_VERIFY_DATA_LEN); 967 968 if (os_memcmp_const(pos, verify_data, TLS_VERIFY_DATA_LEN) != 0) { 969 wpa_printf(MSG_INFO, "TLSv1: Mismatch in verify_data"); 970 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 971 TLS_ALERT_DECRYPT_ERROR); 972 return -1; 973 } 974 975 wpa_printf(MSG_DEBUG, "TLSv1: Received Finished"); 976 977 *in_len = end - in_data; 978 979 conn->state = (conn->session_resumed || conn->use_session_ticket) ? 980 CHANGE_CIPHER_SPEC : ACK_FINISHED; 981 982 return 0; 983 } 984 985 986 static int tls_process_application_data(struct tlsv1_client *conn, u8 ct, 987 const u8 *in_data, size_t *in_len, 988 u8 **out_data, size_t *out_len) 989 { 990 const u8 *pos; 991 size_t left; 992 993 if (ct != TLS_CONTENT_TYPE_APPLICATION_DATA) { 994 wpa_printf(MSG_DEBUG, "TLSv1: Expected Application Data; " 995 "received content type 0x%x", ct); 996 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 997 TLS_ALERT_UNEXPECTED_MESSAGE); 998 return -1; 999 } 1000 1001 pos = in_data; 1002 left = *in_len; 1003 1004 wpa_hexdump(MSG_DEBUG, "TLSv1: Application Data included in Handshake", 1005 pos, left); 1006 1007 *out_data = os_malloc(left); 1008 if (*out_data) { 1009 os_memcpy(*out_data, pos, left); 1010 *out_len = left; 1011 } 1012 1013 return 0; 1014 } 1015 1016 1017 int tlsv1_client_process_handshake(struct tlsv1_client *conn, u8 ct, 1018 const u8 *buf, size_t *len, 1019 u8 **out_data, size_t *out_len) 1020 { 1021 if (ct == TLS_CONTENT_TYPE_ALERT) { 1022 if (*len < 2) { 1023 wpa_printf(MSG_DEBUG, "TLSv1: Alert underflow"); 1024 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1025 TLS_ALERT_DECODE_ERROR); 1026 return -1; 1027 } 1028 wpa_printf(MSG_DEBUG, "TLSv1: Received alert %d:%d", 1029 buf[0], buf[1]); 1030 *len = 2; 1031 conn->state = FAILED; 1032 return -1; 1033 } 1034 1035 if (ct == TLS_CONTENT_TYPE_HANDSHAKE && *len >= 4 && 1036 buf[0] == TLS_HANDSHAKE_TYPE_HELLO_REQUEST) { 1037 size_t hr_len = WPA_GET_BE24(buf + 1); 1038 if (hr_len > *len - 4) { 1039 wpa_printf(MSG_DEBUG, "TLSv1: HelloRequest underflow"); 1040 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, 1041 TLS_ALERT_DECODE_ERROR); 1042 return -1; 1043 } 1044 wpa_printf(MSG_DEBUG, "TLSv1: Ignored HelloRequest"); 1045 *len = 4 + hr_len; 1046 return 0; 1047 } 1048 1049 switch (conn->state) { 1050 case SERVER_HELLO: 1051 if (tls_process_server_hello(conn, ct, buf, len)) 1052 return -1; 1053 break; 1054 case SERVER_CERTIFICATE: 1055 if (tls_process_certificate(conn, ct, buf, len)) 1056 return -1; 1057 break; 1058 case SERVER_KEY_EXCHANGE: 1059 if (tls_process_server_key_exchange(conn, ct, buf, len)) 1060 return -1; 1061 break; 1062 case SERVER_CERTIFICATE_REQUEST: 1063 if (tls_process_certificate_request(conn, ct, buf, len)) 1064 return -1; 1065 break; 1066 case SERVER_HELLO_DONE: 1067 if (tls_process_server_hello_done(conn, ct, buf, len)) 1068 return -1; 1069 break; 1070 case SERVER_CHANGE_CIPHER_SPEC: 1071 if (tls_process_server_change_cipher_spec(conn, ct, buf, len)) 1072 return -1; 1073 break; 1074 case SERVER_FINISHED: 1075 if (tls_process_server_finished(conn, ct, buf, len)) 1076 return -1; 1077 break; 1078 case ACK_FINISHED: 1079 if (out_data && 1080 tls_process_application_data(conn, ct, buf, len, out_data, 1081 out_len)) 1082 return -1; 1083 break; 1084 default: 1085 wpa_printf(MSG_DEBUG, "TLSv1: Unexpected state %d " 1086 "while processing received message", 1087 conn->state); 1088 return -1; 1089 } 1090 1091 if (ct == TLS_CONTENT_TYPE_HANDSHAKE) 1092 tls_verify_hash_add(&conn->verify, buf, *len); 1093 1094 return 0; 1095 } 1096